ABSTRACT: The tree locking protocol is a deadlock-free method of concurrency control defined and
verified by Silberschatz and Kedem for data organized in a directed tree. Can the tree protocol work for
applications that change the tree? We define a set of three operations capable of changing any tree to any
other tree and show that the tree protocol continues to ensure serializability and deadlock-freedom in the
presence of these operations.

1.  Introduction 

A locking protocol is a set of rules for locking data items such that any concurrent computation
following those rules is guaranteed to satisfy some set of conditions. Typically, these conditions may include
serializability, deadlock freedom, or order preservation, which are all rigorously defined below. For
example, the two-phase protocol guarantees serializability and order preservation, but not deadlock freedom, by
forbidding an action (a term we use interchangeably with "transaction") to place a new lock after
releasing a lock.

In [SK80], Silberschatz and Kedem introduced a locking protocol that guaranteed serializability and
deadlock freedom without requiring two-phasedness. It has since become known as the tree protocol since
it is based on the assumption that the data resides in a set of nodes organized in a directed tree. In
brief, the protocol allows an action to begin by locking any node, but to place subsequent locks only on the
children of its currently locked nodes, as long as it does not lock a node it has previously unlocked. No
restrictions are placed on unlocking nodes.

It is an unstated assumption of the tree protocol that the tree graph remain the same throughout a
computation. This would seem to be a major limitation, since many database applications, such as B-tree
algorithms, require the on-line restructuring of a tree. But does the tree really have to be static?

Several  conflict-preserving  concurrent  B-tree  algorithms,  including  those  in  [Sa76],  [BS77],  and 
[MR85],  do,  in  fact,  bear  a  striking  resemblance  to  the  tree  protocol.  They  always  retain  the  lock  on  a 
parent  node  until  after  its  child  has  been  locked,  and  keep  a  node  locked  as  long  as  there  is  any  possibility  it 
might  have  to  be  modified.  Each  has  been  shown  correct  by  various  ad-hoc  methods. 

In this paper, we define a set of operations for modifying trees, extend the tree protocol to
computations that include these operations, and then show that the resulting protocol continues to guarantee
serializability and deadlock freedom. In addition, we examine the conditions under which it is order preserving.

2.  Tree  Editing  Operations 

We  must  now  decide  on  a  set  of  operations  powerful  enough  to  introduce  arbitrary  changes  to  the 
tree  graph,  yet  restricted  enough  to  ensure  that  the  graph  remain  a  tree  in  all  intermediate  states.  B-tree 
splits  and  merges,  for  example,  are  clearly  too  restrictive  in  that  they  can  only  produce  balanced  trees  and 
can  not  even  change  the  height  of  any  given  node.  Addition  or  removal  of  a  single  edge,  on  the  other  hand, 
is  sure  to  disrupt  the  tree  property. 

Consider, however, an operation that changes (switches) the parent of a node c from $p_1$ to $p_2$
(simultaneously removing edge $(p_1,c)$ and adding edge $(p_2,c)$, see Fig. 1). If $p_2$ is not c or a descendant of c, the
graph is sure to remain a tree. And yet a sequence of these switch operations can rearrange any given tree
to any other given tree with only two limitations: the same node would remain the root and the set of nodes
would remain the same.

The first limitation is not important, since the root can always be used as just a pointer to the "real"
root. To eliminate the second limitation, we introduce another two operations. The add_leaf adds a new
leaf c to the graph, along with the edge (p,c) from some old node p. The remove_leaf is the inverse,
removing edge (p,c) to some leaf c and removing c from the set of nodes. Both, of course, maintain the
tree property. Since the switch operation can be used to reposition a new leaf to an arbitrary position in the
tree, or to reposition an arbitrary node to a leaf position where it can be removed, the three operations
together can truly restructure the tree arbitrarily.

Figure 1.
The switch(p,p',c) operation.


Since the tree editing operations treat the tree graph itself as shared data to be examined and
modified, we must require that certain locks be held on the affected nodes before these operations may be
executed. The switch operation requires that the executing action hold write locks on the two parent nodes.
(Incidentally, the locks on the parent nodes make it possible for the switch to appear atomic even though it
is actually likely to be implemented in at least two steps.) Note that the switch need not hold any lock on
the child being moved. The add_leaf requires a write lock on the parent, and grants a write lock on the
new child. The remove_leaf requires a write lock on both parent and child. These requirements are quite
natural if the graph data is stored in the form of a list of children in each node.

As it turns out, certain subclasses of the switch operation have interesting properties to be discussed
below. Let the switch'(p,p',c) be a switch prior to which the executing action has never held a lock on c.
Let the switch''(p,p',c) be a switch where either p is a child of p' or vice-versa. A switch operation
belonging to either of these two classes is called restricted. Similarly, a computation where every switch
operation is restricted is called switch restricted.

It is noteworthy that the switch'' subclass alone should be sufficient for most tree-restructuring
applications, since it is unusual to transfer a child between two completely unrelated nodes. To transfer a child
from a node to its sibling, for example, as in a B-tree split or merge, we can use one switch'' to first transfer
it to the common parent, then another switch'' to transfer it from the parent to the sibling.


3.  Goals 

It is now our aim to explore the properties of computations containing the tree editing operations and
following a set of rules (to be explicitly defined below) akin to those of the static tree protocol. We will
eventually show that such computations, just like static tree computations, are always serializable and
deadlock-free, but not necessarily order-preserving. However, we will define conditions under which order
is preserved between certain actions.

One property of the static tree protocol that is not always preserved in dynamic trees is the
predetermination of the serialization ordering. As we will show, the order in which two actions can appear to
serialize at the end of the computation can be determined in static trees as soon as both have locked their
first nodes. For this property to hold in dynamic trees, the computation must not contain any unrestricted
switch operations.

4.  Notation 

To  proceed  further,  we  must  introduce  unambiguous  notation.  To  simplify  both  this  notation  and  the 
following  discussion,  let  us  initially  restrict  the  protocol  to  exclusive  locks. 

4.1.  States,  Operations,  and  Specifications 

We consider a computation to be a sequence of operations, each operation belonging to some
higher-level action. (Since we are dealing with concurrent computations, the operations of concurrent
actions will be interleaved.) The operations we are concerned with here are those locking and unlocking
nodes and/or modifying the tree, i.e. lock_first, lock_child, unlock, switch, add_leaf, and remove_leaf.
Each operation changes the state of the underlying data in accordance with the operation's specification.
To formulate the specifications, we must rigorously define the states to which they refer.

We consider a state of the computation to consist of three components: $T$, $\mathit{has}$, and $\mathit{had}$. $T = (E,N)$ is
the current tree graph, where $E$ is the set of edges and $N$ is the set of nodes. $\mathit{has}$ is a function mapping
each action to the set of nodes on which it currently holds locks. $\mathit{had}$ is a function mapping each action to
the set of nodes on which it either holds or has ever held locks. (Thus, $\mathit{has}(a) \subseteq \mathit{had}(a)$.) Alternatively,
we shall consider $\mathit{has}$ and $\mathit{had}$ to be sets of pairs of the form $(a,n)$ where a is an action and n is a node.
Thus, if $n \in \mathit{has}(a)$, then $(a,n) \in \mathit{has}$. Let $\mathit{ancestors}(n,T)$ be the set of ancestors of node n in tree T.


We express an operation's specification in two parts: a transformation from the state in which the
operation starts to the state in which it finishes, and a condition on the starting state for which the operation
waits to become true. (For example, a lock operation waits until its node is not locked, i.e. is not in the has
of any other action.) We assume that the operations are implemented correctly, i.e. that in any concurrent
computation containing the above operations, the operations can be placed in an interleaved order such that
the conditions (both transforming and waiting) of each operation's specification are fulfilled for the state
preceding and following the operation in the interleaving.

We now list the operations and their specifications. Only lock_first and lock_child have waiting
conditions. Within the context of a specification, let r be the state preceding the operation, and s be the state
following it. We will use state names as subscripts to denote the state to which some particular entity
refers, i.e. $T_s$ for the tree in state s. We subscript the operations with the name of the executing action, i.e.
$\mathit{lock\_first}_a(n)$ is the lock_first operation performed by action a on node n. In both cases, we will
sometimes omit the subscript when the meaning is made clear by other means.

$\mathit{lock\_first}_a(n)$ and $\mathit{lock\_child}_a(p,n)$:

waiting condition: $\forall_b\; n \notin \mathit{has}_r(b)$

transformation: $T_s = T_r \;\wedge\; \mathit{has}_s = \mathit{has}_r \cup (a,n) \;\wedge\; \mathit{had}_s = \mathit{had}_r \cup (a,n)$.

$\mathit{unlock}_a(n)$:

transformation: $T_s = T_r \;\wedge\; \mathit{has}_s = \mathit{has}_r - (a,n) \;\wedge\; \mathit{had}_s = \mathit{had}_r$.

$\mathit{switch}_a(p,p',c)$:

transformation: $E_s = ((E_r - (p,c)) \cup (p',c)) \;\wedge\; N_s = N_r \;\wedge\; \mathit{has}_s = \mathit{has}_r \;\wedge\; \mathit{had}_s = \mathit{had}_r$.

$\mathit{add\_leaf}_a(p,c)$:

transformation: $N_s = N_r \cup c \;\wedge\; E_s = E_r \cup (p,c) \;\wedge\; \mathit{has}_s = \mathit{has}_r \cup (a,c) \;\wedge\; \mathit{had}_s = \mathit{had}_r \cup (a,c)$.

$\mathit{remove\_leaf}_a(p,c)$:

transformation: $N_s = N_r - c \;\wedge\; E_s = E_r - (p,c) \;\wedge\; \mathit{has}_s = \mathit{has}_r - (a,c) \;\wedge\; \mathit{had}_s = \mathit{had}_r$.


4.2.  The  Protocol 

A locking protocol is an additional set of restrictions on the allowed computations. We shall express
these restrictions as additional conditions on the starting state of each operation. For example, for a
$\mathit{lock\_child}_a(p,c)$, p must be the parent of c, a must already hold a lock on p, and a must never have held a
lock on c. As opposed to an operation's specification, the protocol conditions are achieved not by the
operation itself but by the operations preceding it in the computation. The protocol conditions are:

$\mathit{lock\_first}_a(n)$:

$\mathit{had}_r(a) = \emptyset \;\wedge\; n \in N_r$

$\mathit{lock\_child}_a(p,c)$:

$(p,c) \in E_r \;\wedge\; p \in \mathit{has}_r(a) \;\wedge\; c \notin \mathit{had}_r(a)$

$\mathit{unlock}_a(n)$:

$\mathit{switch}_a(p,p',c)$:

$(p,c) \in E_r \;\wedge\; \{p,p'\} \subseteq \mathit{has}_r(a) \;\wedge\; c \neq p' \;\wedge\; c \notin \mathit{ancestors}(p',T_r)$

$\mathit{switch}'_a(p,p',c)$:

same as switch, plus $c \notin \mathit{had}_r(a)$

$\mathit{switch}''_a(p,p',c)$:

same as switch, plus $(p,p') \in T_r \;\vee\; (p',p) \in T_r$

$\mathit{add\_leaf}_a(p,c)$:

$p \in \mathit{has}_r(a) \;\wedge\; c \notin N_r \;\wedge\; \forall_b\; c \notin \mathit{had}_r(b)$

$\mathit{remove\_leaf}_a(p,c)$:

$(p,c) \in E_r \;\wedge\; \forall_n\; (c,n) \notin E_r \;\wedge\; \{p,c\} \subseteq \mathit{has}_r(a)$

A computation satisfies the dynamic tree locking protocol if and only if

1) no action accesses a node on which it does not hold a lock, and

2) the operations listed above are the only ones that place or remove locks on nodes or modify the tree, and

3) the protocol's conditions hold for each occurrence of the above operation in the state in which it begins.

For short, such a computation is called a dynamic tree computation. In practice, we will not need to
make use of the distinction between transformation, waiting, and protocol conditions. For any dynamic
tree computation, they all hold equally true.

Let us name a computation's initial state init and its final state fin. For every computation, we
assume that $T_{init}$ is a tree and $\mathit{has}_{init} = \mathit{had}_{init} = \emptyset$. By this assumption, by the operations' specifications,
and by the rules of the protocol, it is easy to verify that in every subsequent state s, $T_s$ is still a tree and
$\mathit{has}_s(a) \cap \mathit{has}_s(b) = \emptyset$ for all distinct actions a and b.
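
The state (T, has, had), the transformations of section 4.1 and the protocol conditions of section 4.2 can be replayed with a small single-threaded checker. This is an added example, not code from the paper; the class and method names are assumptions, locks are exclusive, and an unmet waiting condition is reported as `WouldWait` instead of blocking. `sibling_transfer` replays the two-step switch'' transfer from section 2.

```python
from collections import defaultdict


class ProtocolViolation(Exception):
    """A protocol condition of section 4.2 fails in the starting state."""


class WouldWait(Exception):
    """The waiting condition fails: some action currently holds the node."""


class DynamicTree:
    """State (T, has, had); the edge set E is stored as child -> parent."""

    def __init__(self, root, edges):
        self.parent = {c: p for p, c in edges}                              # E
        self.nodes = {root} | set(self.parent) | set(self.parent.values())  # N
        self.has = defaultdict(set)   # action -> nodes currently locked
        self.had = defaultdict(set)   # action -> nodes locked now or earlier

    def ancestors(self, n):
        out = set()
        while n in self.parent and self.parent[n] not in out:  # stops on a cycle
            n = self.parent[n]
            out.add(n)
        return out

    def is_tree(self):
        roots = [n for n in self.nodes if n not in self.parent]
        return len(roots) == 1 and all(n not in self.ancestors(n) for n in self.nodes)

    def _check(self, cond, op):
        if not cond:
            raise ProtocolViolation(op)

    def _lock(self, a, n):
        if any(n in held for held in self.has.values()):   # waiting condition
            raise WouldWait(n)
        self.has[a].add(n)
        self.had[a].add(n)

    def lock_first(self, a, n):
        self._check(not self.had[a] and n in self.nodes, "lock_first")
        self._lock(a, n)

    def lock_child(self, a, p, c):
        self._check(self.parent.get(c) == p and p in self.has[a]
                    and c not in self.had[a], "lock_child")
        self._lock(a, c)

    def unlock(self, a, n):
        self.has[a].discard(n)        # had is unchanged

    def switch(self, a, p, p2, c):
        self._check(self.parent.get(c) == p and {p, p2} <= self.has[a]
                    and c != p2 and c not in self.ancestors(p2), "switch")
        kinds = set()
        if c not in self.had[a]:
            kinds.add("switch'")      # a never held a lock on c
        if self.parent.get(p) == p2 or self.parent.get(p2) == p:
            kinds.add("switch''")     # p and p' are parent and child
        self.parent[c] = p2           # remove (p,c), add (p',c)
        return kinds                  # empty set: a non-restricted switch

    def add_leaf(self, a, p, c):
        self._check(p in self.has[a] and c not in self.nodes
                    and all(c not in h for h in self.had.values()), "add_leaf")
        self.nodes.add(c)
        self.parent[c] = p
        self.has[a].add(c)
        self.had[a].add(c)

    def remove_leaf(self, a, p, c):
        self._check(self.parent.get(c) == p and c not in self.parent.values()
                    and {p, c} <= self.has[a], "remove_leaf")
        self.nodes.discard(c)
        del self.parent[c]
        self.has[a].discard(c)


def sibling_transfer():
    """Move x from L to its sibling R: first L -> P, then P -> R."""
    t = DynamicTree("root", [("root", "P"), ("P", "L"), ("P", "R"), ("L", "x")])
    t.lock_first("a", "P")
    t.lock_child("a", "P", "L")
    t.lock_child("a", "P", "R")
    k1 = t.switch("a", "L", "P", "x")   # child to common parent
    tree_between = t.is_tree()          # the graph is a tree in the intermediate state
    k2 = t.switch("a", "P", "R", "x")   # common parent to sibling
    return t, k1, k2, tree_between and t.is_tree()


def rejected(op, *args):
    """Name of the exception an operation raises, or None if it is allowed."""
    try:
        op(*args)
    except (ProtocolViolation, WouldWait) as e:
        return type(e).__name__
    return None
```
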

4.3. Ordering Relations

To  prove  serializability  (as  well  as  other  properties),  we  must  show  that  the  conflict  graph  on  the 
actions  in  a  dynamic  tree  computation  remains  acyclic.  Instead,  it  turns  out  to  be  more  convenient  to  show 
that  the  transitive  closure  of  a  certain  superset  of  the  conflict  relation  remains  irreflexive.  We  now  proceed 
to  define  the  various  relations. 

Let $a \rightarrow_s b$ for actions a and b and state s if there exists a state r prior or equal to s such that
$\mathit{has}_r(b) \cap \mathit{had}_r(a) \neq \emptyset$. In other words, $a \rightarrow_s b$ if a and b both locked some node n prior to s, and a locked
it before b. Let $\rightarrow_s^{+}$ be the transitive closure of $\rightarrow_s$, and let $\rightarrow_s^{*}$ be its transitive and reflexive closure. We
will indicate the closures of other relations in the same manner.

Thus, $\rightarrow_s$ is simply the conflicts-with relation on actions achieved up to state s. For this reason, a
computation is (conflict-preserving) serializable if and only if its $\rightarrow^{+}$ is irreflexive.

Let $a \twoheadrightarrow_s b$ if there is a path q from node n to node m in $T_s$ such that $n \in \mathit{has}_s(b)$, $m \in \mathit{had}_s(a)$, and
the successor of n on q is not in $\mathit{had}_s(b)$ (see Fig. 2).

The $\twoheadrightarrow$ relation reflects conflicts that may arise via future lock_child operations. Thus, when
$a \twoheadrightarrow b$, b may lock the nodes on q, starting with the successor of n and continuing down. Then, after it
locks m, $a \rightarrow b$ becomes true. Note that the above definition allows $a \twoheadrightarrow a$. For example, a may hold a
lock on a node and its grandchild, but not on the interceding child. This is significant because if some other
action b then locks the child node, $a \twoheadrightarrow b \twoheadrightarrow a$ will result.

[Figure 2 diagram: a path from n to m, with $n \in \mathit{has}(b)$, the successor of n $\notin \mathit{had}(b)$, and $m \in \mathit{had}(a)$.]

Figure 2.
$a \twoheadrightarrow b$ by the path from n to m.
If $a \neq b$, n and m may be the same node.

Finally, let $\Rightarrow_s$ be the union of $\rightarrow_s$ and $\twoheadrightarrow_s$. Thus, this relation reflects both conflicts that have
already occurred and that could occur in the immediate future.

5.  Intermediate  Results 

As stated above, an intermediate step to our goal of proving serializability and other properties is
showing that $\Rightarrow^{+}$ remains irreflexive throughout a dynamic tree computation. To achieve this, we must
examine the effects of the various operations on $\rightarrow$ and $\twoheadrightarrow$.

Lemma 1: if $\mathit{lock\_first}_a(f)$ maps state r to state s, and a, b and d are actions, then:

1) $a \Rightarrow_s a$ does not hold.

2) if $b \neq a \;\wedge\; d \neq a \;\wedge\; b \Rightarrow_s d$, then $b \Rightarrow_r d$.

3) if $b \Rightarrow_s a \Rightarrow_s d$, then $b \Rightarrow_s d$.

[Figure 3 diagram: a path through nodes n, f and m', with $n \in \mathit{has}_r(d)$, $f \in \mathit{has}_s(a)$, and $m' \in \mathit{had}_r(b)$.]

Figure 3.
$T_s$ after a $\mathit{lock\_first}_a(f)$.
If $b \twoheadrightarrow a \Rightarrow d$ then $b \twoheadrightarrow d$ by the path from n to m'.
(If $a \rightarrow d$, then m' is f.)

Proof:

1) $a \rightarrow_s a$ is impossible by definition, and $a \twoheadrightarrow_s a$ can not hold since $T_s$ is a tree and there is only one node
in $\mathit{had}_s(a)$.

2) s and r are identical in all respects other than $\mathit{had}(a)$ and $\mathit{has}(a)$, and these play no part in $\Rightarrow$ on actions
distinct from a.

3) Since, as of s, a has yet to release any lock, $a \rightarrow_s d$ is impossible for any d. Thus, let $a \twoheadrightarrow_s d$ by path q
from n to m as defined above (see Fig. 3). Note that since $\mathit{had}_s(a) = \{f\}$, m must be f. If $b \rightarrow_s a$ then
$f \in \mathit{had}_r(b)$. But then $b \twoheadrightarrow_s d$ via q. Now let $b \twoheadrightarrow_s a$ by path q' from n' to m'. Once again, note n' = f.
But then $b \twoheadrightarrow_s d$ via q followed by q'. □

Lemma 2: Let $\mathit{lock\_first}_a(f)$ map state r to state s, let a, b and d be actions, and let $b \Rightarrow_s^{+} d$, but not
$b \Rightarrow_r^{+} d$. Then

1) either b = a, or d = a, and

2) if b = d, then $e \Rightarrow_r^{+} e$ for some action e.

Proof:

1) Assume $b \neq a \;\wedge\; d \neq a$. Then, by lemma 1 part 2, there exists a b' and d' such that
$b \Rightarrow^{*} b' \Rightarrow a \Rightarrow d' \Rightarrow^{*} d$. But then, by lemma 1 part 3, $b' \Rightarrow d'$, thus $b \Rightarrow_r^{+} d$, which is a contradiction.

2) Let b = d. Then, by part 1 of this lemma, b = d = a, thus $a \Rightarrow^{+} a$. Then, by lemma 1 part 1, $a \Rightarrow^{+} e \Rightarrow^{+} a$
for some $e \neq a$. Thus, $e \Rightarrow^{+} a \Rightarrow^{+} e$. Then, by lemma 1 part 2, there exist an e' and e'' such that
$e \Rightarrow^{*} e' \Rightarrow a \Rightarrow e'' \Rightarrow^{*} e$. But then by lemma 1 part 3, $e' \Rightarrow e''$, thus $e \Rightarrow_r^{+} e$. □

[Figure 4 schedule, operations in the order they appear on the page: lock_first(p), lock_child(p,c), lock_child(c,g), lock_child(p,c'), lock_child(c',g'), unlock(c), unlock(c'), switch(p,g',c), lock_first(c), lock_first(c').]

Figure 4.
The non-restricted switch makes b

As we are about to show, it is the property of the static tree protocol that lock_first is the only
operation that introduces new edges to $\Rightarrow$. Together with lemma 2, this is sufficient to prove serializability and
go a long way toward deadlock freedom. The remainder of this paper would be much simpler if this
property also held true for the dynamic case.

Unfortunately, however, the switch operation can, under certain circumstances, add new edges to
$\Rightarrow$. Consider, for example, the scenario in Fig. 4. Up to the switch operation, b and d are unrelated in $\Rightarrow$.
After it, however, $b \twoheadrightarrow d$. Furthermore, the last operation could have just as easily been $\mathit{switch}_a(p,g,c')$,
resulting in $d \twoheadrightarrow b$.

This is not just an artifact of a poor definition for $\Rightarrow$. The switch performed by a makes it possible
for d to go on to lock c, resulting in $b \rightarrow d$. Had a performed $\mathit{switch}_a(p,g,c')$, b could go on to lock c',
resulting in $d \rightarrow b$. As we will show, in the static case, one can determine an order in which b and d can
appear in the serialization ordering as soon as both have locked their first node.

Still, this property of the static protocol can be retained by restricting the switch operation to switch'
and switch''. Thus, we now show that operations other than lock_first and non-restricted switch do not
expand $\Rightarrow^{+}$.

Lemma 3: Let o be any operation other than lock_first or a non-restricted switch, and let o map state
r to state s. Then $\Rightarrow_s^{+} \;\subseteq\; \Rightarrow_r^{+}$.

Proof: Let us consider each operation in turn.

• $\mathit{unlock}_a(n)$ and $\mathit{remove\_leaf}_a(p,c)$: Note that $\mathit{has}_s \subseteq \mathit{has}_r$ and $\mathit{had}_s = \mathit{had}_r$, thus $\rightarrow_s = \rightarrow_r$. Furthermore,
since $E_s \subseteq E_r$, $\twoheadrightarrow_s \subseteq \twoheadrightarrow_r$.

• $\mathit{add\_leaf}_a(p,c)$: Since $\mathit{had}_s = \mathit{had}_r \cup (a,c)$, and c has never been locked before, $\rightarrow_s = \rightarrow_r$. Now assume
$b \twoheadrightarrow_s d$ but not $b \twoheadrightarrow_r d$. Let q be the path from n to m by which $b \twoheadrightarrow_s d$. Since $E_s = E_r \cup (p,c)$, and the
only newly locked node is c, which is a leaf, it must be that $c = m \;\wedge\; a = b$. Note that p must be the
predecessor of c in q, and $p \in \mathit{has}_r(b)$. Note $p \neq n$ (otherwise b = a = d, but $a \twoheadrightarrow a$ can not hold for the
single-edge path from n = p to m = c). But then $b \twoheadrightarrow_r d$ by the path from n to p.

• $\mathit{lock\_child}_a(p,c)$: Let $b \rightarrow_s d$ but not $b \rightarrow_r d$. Then the conflict occurred at c, thus a = d, and
$c \in \mathit{had}_r(b)$. Since $p \in \mathit{has}_r(d)$, $b \twoheadrightarrow_r d$ by the path from p to c.

Now let $b \twoheadrightarrow_s d$ but not $b \twoheadrightarrow_r d$. Let q be the path from n to m by which $b \twoheadrightarrow_s d$. Since $T_s = T_r$,
and the only newly locked node is c, either $c = n \;\wedge\; a = d$, or $c = m \;\wedge\; a = b$. In the first case, since
$c \notin \mathit{had}_r(a)$, $b \twoheadrightarrow_r d$ by the path from p to c to m. For the second case, see the corresponding argument
under add_leaf.

• $\mathit{switch}'_a(p,p',c)$ and $\mathit{switch}''_a(p,p',c)$: There are no newly locked nodes in s, thus $\rightarrow_s = \rightarrow_r$. Assume that
indeed $b \twoheadrightarrow_s d$, but not $b \twoheadrightarrow_r d$, for some actions b and d. The only new edge in $T_s$ is (p',c). Then q (the
path from n to m defined above by which $b \twoheadrightarrow_s d$) must include (p',c) (see Fig. 5).

[Figure 5 diagram: three trees, one for each case (switch': $c \notin \mathit{had}_r(a)$; switch'': $(p,p') \in E_r$; switch'': $(p',p) \in E_r$), with $p \in \mathit{has}_r(a)$, $p' \in \mathit{has}_r(a)$, $n \in \mathit{has}_r(d)$, and $m \in \mathit{had}_r(b)$.]

Figure 5.
$T_r$ prior to restricted $\mathit{switch}_a(p,p',c)$ resulting in $b \twoheadrightarrow_s d$.
In all cases, $b \twoheadrightarrow_r^{+} d$.

If n = p', then $c \notin \mathit{had}_r(d)$. Furthermore, since $n \in \mathit{has}_r(d)$, and $p' \in \mathit{has}_r(a)$, a must then be d. But
then $b \twoheadrightarrow_r d$ by the path from p to c to m. Thus, we assume $n \neq p'$, and therefore $a \twoheadrightarrow_r d$ by the path from
n to p'. (We know the successor of n on this path is not in $\mathit{had}_r(d)$ because the path from n to m by which
$b \twoheadrightarrow_s d$ goes through p'.)

For switch', since $c \notin \mathit{had}_r(a)$, $b \twoheadrightarrow_r a$ by the path from p to c to m. Thus, $b \twoheadrightarrow_r a \twoheadrightarrow_r d$.

For switch'', if $(p',p) \in E_r$, then $b \twoheadrightarrow_r d$ by the path from n to p' to p to c to m. And if $(p,p') \in E_r$,
then p must be the predecessor of p' on q, thus $b \twoheadrightarrow_r d$ by the path from n to p to c to m. (We know that p'
must have a predecessor on q since $p' \neq n$.) □

As mentioned above, one consequence of lemmas 2 and 3 is that the switch-restricted tree protocol
(but not the unrestricted one) determines an action's position in the serialization ordering as soon as the
action locks its first node:

Lemma 4: In any switch-restricted dynamic tree computation, if $b \Rightarrow_{fin}^{+} d$, then $b \Rightarrow^{+} d$ as soon as both
b and d have executed their lock_first operations, and in all subsequent states.

Proof: Assume otherwise. Then at least one operation mapping state r to state s where $b \Rightarrow_s^{+} d$ but
not $b \Rightarrow_r^{+} d$ must occur after both b and d have started. Let o be that operation. By lemma 3, o must be a
$\mathit{lock\_first}_a$ for some a. But by lemma 2 part 1, a is either b or d, which is a contradiction. □

Another immediate consequence of lemmas 2 and 3 is that $\Rightarrow^{+}$ remains irreflexive in all states, thus
guaranteeing serializability for switch-restricted computations.

We  now  proceed  to  show  that  this  result  also  holds  for  non-restricted  computations,  even  though 
lemma  3  is  not  sufficient  for  them.  Doing  this  requires  some  extra  work. 

Definition: let $\mathit{lca}(v,v',T)$ be the lowest common ancestor of nodes v and v' in tree T, i.e. the node in
$(\{v\} \cup \mathit{ancestors}(v,T)) \cap (\{v'\} \cup \mathit{ancestors}(v',T))$ that is furthest from the root of T. Let $A(v,v',T)$ be the
set of nodes on the paths in T from $\mathit{lca}(v,v',T)$ to v and v' (including v, v', and $\mathit{lca}(v,v',T)$).

Lemma 5: In any state s of a dynamic tree computation, let v and v' be any two nodes in $\mathit{had}_s(b)$ for
any action b. Then for every node u in $A(v,v',T_s)$ there exists some action b' such that $u \in \mathit{had}_s(b')$ and
$b \rightarrow_s^{*} b'$.

Proof: by induction on the length of the computation. The lemma is trivially true for the initial state.
We will now consider each operation in turn, assuming the lemma holds in the state r preceding it. It is
helpful to remember that, by definition, for all actions a and a', if $a \rightarrow_r a'$, then $a \rightarrow_s a'$, and, for all nodes
v, if $v \in \mathit{had}_r(a)$, then $v \in \mathit{had}_s(a)$.

• $\mathit{unlock}_a(n)$ and $\mathit{remove\_leaf}_a(p,c)$: for any two nodes, the lemma holds in s the same way it holds in r.

• $\mathit{lock\_first}_a(f)$: for any two nodes distinct from f, or if $b \neq a$, the lemma holds in s the same way it holds in
r. As for $v = f \;\wedge\; b = a$, $\mathit{had}_s(a) = \{f\}$, and $A(f,f,T_s) = \{f\}$, and $f \in \mathit{had}_s(a)$.

• $\mathit{lock\_child}_a(p,c)$ and $\mathit{add\_leaf}_a(p,c)$: for any two nodes distinct from c, the lemma holds in s the same
way it holds in r. Also, if v = c, but $b \neq a$, the lemma holds in s as in r (in the add_leaf case,
$c \notin \mathit{had}_r(b) \cup \mathit{had}_s(b)$ for any $b \neq a$). As for $v = c \;\wedge\; b = a$, let v' be any other node in $\mathit{had}_s(a)$. Note that
$A(c,v',T_s) = A(p,v',T_r) \cup \{c\}$. Since p and v' are in $\mathit{had}_r(a)$, we know the lemma holds for the nodes in
$A(p,v',T_r)$, and $c \in \mathit{had}_s(a)$.

• $\mathit{switch}_a(p,p',c)$: For any $\{v,v'\} \subseteq \mathit{had}_s(b)$ for some action b, if $A(v,v',T_s)$ does not include both p' and c,
the lemma holds in s as in r. Thus, let the path from $\mathit{lca}(v,v',T_s)$ to v include edge (p',c). Then, by
definition of lca, v' is not in the subtree dominated by c (see Fig. 6). Then, in $T_r$, the path from $\mathit{lca}(v,v',T_r)$
to v had to include (p,c).

By the inductive hypothesis, since $p \in A(v,v',T_r)$, there exists a b' such that $p \in \mathit{had}_r(b')$ and
$b \rightarrow^{*} b'$. Thus, since $p \in \mathit{has}_r(a)$, $b \rightarrow^{*} b' \rightarrow^{*} a$.

Note that $A(v,v',T_s) \subseteq A(v,v',T_r) \cup A(p,p',T_r)$ (see Fig. 6). Since $\{v,v'\} \subseteq \mathit{had}_r(b)$, the lemma holds
in s as in r for all nodes in $A(v,v',T_r)$. As for nodes u in $A(p,p',T_r)$, since $\{p,p'\} \subseteq \mathit{had}_r(a)$, there exists an
a' such that $u \in \mathit{had}_r(a')$ and $a \rightarrow^{*} a'$. Thus, $b \rightarrow^{*} a \rightarrow^{*} a'$. □


[Figure 6 diagram: nodes p and p', with the regions $A(v,v',T_s)$, $A(v,v',T_r)$, and $A(p,p',T_s) = A(p,p',T_r)$.]

Figure 6.
$A(v,v',T_s) \subseteq A(v,v',T_r) \cup A(p,p',T_r)$

Corollary: In any state s of a dynamic tree computation, if nodes v and v' are in $\mathit{had}_s(a)$ for some
action a, and some node u is in $\mathit{has}_s(b)$ for some distinct action b, and $u \in A(v,v',T_s)$, then $a \rightarrow_s^{*} b$.

Lemma 6: Let $\mathit{switch}_a(p,p',c)$ map state r to state s in a dynamic tree computation containing no
remove_leaf operations, let b and d be actions, and let $b \Rightarrow_s d$, but not $b \Rightarrow_r^{+} d$. Let $S_c$ be the set of nodes in
the subtree dominated by c, and note that $S_c$ is the same in $T_r$ and $T_s$. Then

1) $b \twoheadrightarrow_s d$ by a path that includes (p',c), and

2) $\mathit{had}_s(b) \subseteq S_c$, and

3) $b \neq d$, and

4) if $b' \Rightarrow_s b$ for any action b', then $b' \Rightarrow_s d$.

Proof: Since $\rightarrow_s = \rightarrow_r$, $b \twoheadrightarrow_s d$ by a path from node n to node m that includes edge (p',c) (part 1).
See Figure 7.

If n = p', then $c \notin \mathit{had}_r(d)$. Furthermore, since $n \in \mathit{has}_r(d)$, and $p' \in \mathit{has}_r(a)$, a must then be d. But
then $b \twoheadrightarrow_r d$ by the path from p to c to m, which is a contradiction. Thus, $n \neq p'$, and therefore $a \twoheadrightarrow_r d$ by
the path from n to p'.

Assume there exists a node m' in $\mathit{had}_s(b) - S_c$. Since the computation contains no remove_leaf
operations, $\mathit{had}_s(b) \subseteq N_r$. Then $p \in A(m,m',T_r)$. Then by the corollary to lemma 5, $b \rightarrow_r^{*} a$. But since
$a \twoheadrightarrow_r d$, this is a contradiction. Thus, $\mathit{had}_s(b) \subseteq S_c$ (part 2). Since $n \in \mathit{had}_s(d)$ but $n \notin S_c$, $b \neq d$ (part 3).

Case 1: $b' \rightarrow_s b$ for some node m'. Then $m' \in \mathit{had}_s(b) \subseteq S_c$. But then $b' \twoheadrightarrow_s d$ by the path from n to
c to m' (part 4).

Case 2: $b' \twoheadrightarrow_s b$ by a path from some node n' to some node m'. Then $n' \in \mathit{had}_s(b) \subseteq S_c$. But then
$b' \twoheadrightarrow_s d$ by the path from n to c to n' to m' (part 4). □

Lemma 7: In any dynamic tree computation C, $\Rightarrow^{+}$ is irreflexive in all states.

[Figure 7 diagram: a tree with $n \in \mathit{has}_r(d)$ and the subtree $S_c \supseteq \mathit{had}_s(b)$.]

Figure 7.
$T_r$ prior to an (unrestricted) $\mathit{switch}_a(p,p',c)$ resulting in $b \twoheadrightarrow d$.
As shown in lemma 6, as long as $\mathit{had}_s(b) \subseteq N_r$, $\mathit{had}_s(b) \subseteq S_c$.


Proof: Assume otherwise. Let C' be the computation derived from C by replacing every
$\mathit{remove\_leaf}_a(p,c)$ operation with an $\mathit{unlock}_a(c)$. (Since the specification of remove_leaf includes releasing
a's lock on c anyway, this replacement only has the effect of keeping c in the tree.) Clearly, C' is a
perfectly legal dynamic tree computation, and, for any state s in C and its corresponding state s' in C',
$\mathit{had}_{s'} = \mathit{had}_s$, $\mathit{has}_{s'} = \mathit{has}_s$, and $E_{s'} \supseteq E_s$. Therefore, $\rightarrow_{s'} = \rightarrow_s$, and $\twoheadrightarrow_{s'} \supseteq \twoheadrightarrow_s$.

Thus, if there is a state with a reflexive $\Rightarrow^{+}$ in C, there is such a state in C'. Let s be the first such
state. Since $\mathit{had}_{init} = \emptyset$, $s \neq init$. Thus, let o be the operation preceding s, and let r be the state preceding o,
with $\Rightarrow_r^{+}$ irreflexive. Lemma 3 shows that o is either a lock_first or a switch. Lemma 2 part 2 shows that o
is not a lock_first. Thus, o is a switch.

Let $b_0 \Rightarrow_s b_1 \Rightarrow_s \cdots \Rightarrow_s b_{k-1} \Rightarrow_s b_0$ be a minimal cycle in $\Rightarrow_s$. Since $\Rightarrow_r^{+}$ is irreflexive,
$b_j \Rightarrow_r^{+} b_{(j+1) \bmod k}$ does not hold for some j.
By lemma 6, part 3, $k > 1$. Since $b_{(j-1) \bmod k} \Rightarrow_s b_j$, by lemma 6, part 4, $b_{(j-1) \bmod k} \Rightarrow_s b_{(j+1) \bmod k}$.
But then the cycle is not minimal, which is a contradiction. □

6.  Serializability  in  the  Presence  of  Readers 

We say that a computation is conflict-preserving serializable if its $\rightarrow^{+}$ relation is irreflexive. Our first main result, a corollary of lemma 7, is:

Theorem  1:  Every  dynamic  tree  computation  is  conflict-preserving  serializable. 

The  original  tree  protocol  as  defined  in  [SK80]  dealt  only  with  exclusive  locks.  Since  this  is  a  drastic 
limitation  on  a  protocol's  practicality,  [KS83]  considered  the  problem  of  extending  a  locking  protocol  to 
the  use  of  read-locks.  As  a  first  step,  they  adopted  the  following: 

Segregation Rule: an action may place either only read-locks or only write-locks.

In the first case, the action is known as a reader, in the second, a writer. Thus, let $R$ be the set of readers and $W$ be the set of writers.

With this innovation, certain alterations must be made to the specifications of the operations. The waiting condition $\forall b:\ n \notin has_r(b)$ for $lock\_first_a(n)$ and $lock\_child_a(p,n)$ has to be replaced with $\forall b:\ n \notin has_r(b) \lor \{a,b\} \subseteq R$. The protocol conditions of $switch_a$, $add\_leaf_a$, and $remove\_leaf_a$ must now be modified to include $a \in W$. The definitions of $\rightarrow$ and $\twoheadrightarrow$ need also be revamped. For $a \rightarrow b$ to hold now, at least one of $a$ and $b$ must be a writer. The same is true for $a \twoheadrightarrow b$, except $a \twoheadrightarrow a$ must still hold even if $a$ is a reader.

Surprisingly, as shown in [KS83], the segregation rule alone is insufficient to guarantee serializability even in the original tree protocol. In the presence of readers, $\Rightarrow$ may indeed cease to be irreflexive. (The problem occurs in the proof of lemma 1. It may be that $b \Rightarrow a \twoheadrightarrow d$, but not $b \twoheadrightarrow d$ because both $b$ and $d$ are readers.)

Fortunately,  one  of  the  theorems  in  [KS83]  shows  that  any  serializable  write-lock  protocol  can  be 
converted  to  the  use  of  read-locks  if  the  segregation  rule  is  combined  with  the  following: 
Transitive Conflict Rule: if $w \rightarrow_{fin} r \rightarrow_{fin} w'$ where $r$ is a reader and $w \ne w'$, then $w \rightarrow_{fin} w'$ must also hold.

This  method  may  be  applied  to  the  dynamic  tree  protocol  as  well,  thus  producing  the  segregated 
dynamic  tree  protocol.  We  paraphrase  and  extend  the  proof  of  the  relevant  theorem  in  [KS83]  below: 

Lemma  8:  The  segregated  dynamic  tree  protocol  is  serializable. 

Proof: Assume there exists a computation C where $a_0 \rightarrow_{fin} a_1 \rightarrow_{fin} \cdots \rightarrow_{fin} a_{n-1} \rightarrow_{fin} a_0$ is a minimal cycle in $\rightarrow_{fin}$. Note that since readers can not conflict with other readers, $a_i \in R$ implies $\{a_{i-1}, a_{i+1}\} \subseteq W$. Then there are two cases.

Case 1: $n > 2$. Then $i-1 \ne i+1$ (modulo $n$) for all $0 \le i \le n-1$. Thus, since the cycle is minimal, $a_{(i-1) \bmod n} \ne a_{(i+1) \bmod n}$. Then by the transitive conflict rule, if $a_i$ is a reader, then $a_{(i-1) \bmod n} \rightarrow_{fin} a_{(i+1) \bmod n}$. But then the cycle is not minimal, so all the $a_i$'s must be writers. Let C' be C restricted to the writer actions. Since reader actions are not allowed tree-modifying operations, C' is a perfectly legal writer-only dynamic tree computation. But now $a_0 \rightarrow_{fin} \cdots \rightarrow_{fin} a_{n-1} \rightarrow_{fin} a_0$ in C', which contradicts Theorem 1.

Case 2: $n \le 2$. Since $a \rightarrow a$ is impossible by definition, $n = 2$. If both $a_0$ and $a_1$ are writers, proceed as in case 1. Otherwise, since both can't be readers, let $a_0$ be the reader. Let C' be C restricted to the writer actions and $a_0$, and let $a_0$ now be a writer. Since the readers are not allowed tree modifying operations, and the locks of $a_0$ conflicted with the locks of all the writers anyway, C' is a legal writer-only dynamic tree computation. But now $a_0 \rightarrow_{fin} a_1 \rightarrow_{fin} a_0$ in C', which contradicts Theorem 1. □

We should note that the transitive conflict rule may be enforced by having all writers start at the root (as suggested in [KS83]), or by restricting readers to locking only one node (i.e. disallowing them lock_child operations).

7.  Deadlock  Freedom 

Deadlock is a state where there exists a set of actions $a_0, \ldots, a_{n-1}$ such that $a_i$ is waiting for a resource held by $a_{(i+1) \bmod n}$. In our context, locks are the only resource for which an action can wait. Although waiting can be initiated by both the lock_first and lock_child operations, the lock_first can not play a part in the deadlock cycle because an action can never be holding other locks while waiting for its first lock.

Thus, in a segregated dynamic tree protocol, state $r$ is said to be deadlock-prone if there exists a set of actions $a_0, \ldots, a_{n-1}$, nodes $p_0, \ldots, p_{n-1}$, and nodes $c_0, \ldots, c_{n-1}$ such that, for $0 \le i \le n-1$, $(p_i,c_i) \in E_r$, $p_i \in has_r(a_i)$, $c_i \notin had_r(a_i)$, $c_i \in has_r(a_{(i+1) \bmod n})$, and $a_i \in R$ implies $a_{(i+1) \bmod n} \in W$. From such a state, deadlock would result if each $a_i$ issued $lock\_child(p_i,c_i)$. Conversely, since lock_child operations are the only ones that can be involved in the deadlock cycle, deadlock can only be reached by going through a deadlock-prone state.

Theorem  2:  A  writer-only  dynamic  tree  computation  C  never  enters  a  deadlock-prone  state  s. 

Proof: Assume otherwise. By definition of deadlock-prone state, $a_i \twoheadrightarrow a_{(i+1) \bmod n}$ by the path from $p_i$ to $c_i$. Thus, $a_0 \Rightarrow a_0$, which contradicts lemma 7. □

As with serializability, problems arise when we try to extend this result to computations containing readers. In fact, as illustrated by Fig. 8, even a segregated computation satisfying the original (non-dynamic) tree protocol and the transitive conflict rule may reach a deadlock-prone state. Thus, to guarantee deadlock freedom, we need to enforce some variation of the transitive conflict rule, such as:

For any state $s$, if $w \twoheadrightarrow_s r \twoheadrightarrow_s w'$ where $r$ is a reader and $w \ne w'$, then $w \twoheadrightarrow_s w'$ must also hold.

It is easily shown by an argument similar to the proof of lemma 8 that this guarantees that $\twoheadrightarrow^{+}$ stays irreflexive in all states, thus making a deadlock-prone state impossible. We should also note that the methods mentioned above for enforcing the transitive conflict rule also work to enforce this variation.
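The deadlock-prone condition of this section can be checked mechanically. The following is an added example, not code from the paper: it builds the "could wait for" graph from a state's edges and its has/had sets and searches it for a cycle, using the final state of Figure 8 as input. The dictionary encoding, the function names and the one-node-reader contrast state are assumptions of this sketch.

```python
# Added example: the deadlock-prone test of Section 7 (segregated protocol).
# The state encoding (dicts of sets) is an assumption of this sketch.

def wait_edges(edges, has, had, readers):
    """For each action a, list (a2, p, c): a could block on lock_child(p, c) held by a2."""
    waits = {a: [] for a in has}
    for a in sorted(has):
        for p, c in sorted(edges):
            if p not in has[a] or c in had[a]:
                continue  # lock_child(p, c) is not open to a under the protocol
            for a2 in sorted(has):
                if a2 == a or c not in has[a2]:
                    continue
                if a in readers and a2 in readers:
                    continue  # two read-locks never make each other wait
                waits[a].append((a2, p, c))
    return waits


def deadlock_cycle(edges, has, had, readers):
    """Return the actions on a wait cycle, or None if the state is not deadlock-prone."""
    waits = wait_edges(edges, has, had, readers)
    succ = {a: sorted({a2 for a2, _, _ in w}) for a, w in waits.items()}

    def dfs(path):
        for nxt in succ[path[-1]]:
            if nxt in path:
                return path[path.index(nxt):]
            found = dfs(path + [nxt])
            if found:
                return found
        return None

    for start in sorted(succ):
        cycle = dfs([start])
        if cycle:
            return cycle
    return None


# Final state of Figure 8; the tree shape is read off its lock_child calls.
EDGES = {("p", "c"), ("p", "c'"), ("c", "g"), ("c'", "g'")}
READERS = {"r1", "r2"}
FIG8_HAD = {"r1": {"p", "c", "g"}, "r2": {"p", "c'", "g'"}, "w1": {"c"}, "w2": {"c'"}}
FIG8_HAS = {"r1": {"p", "g"}, "r2": {"p", "g'"}, "w1": {"c"}, "w2": {"c'"}}

# Constructed contrast: readers confined to a single node (no lock_child).
ONE_NODE_HAD = {"r1": {"p"}, "r2": {"p"}, "w1": {"c"}, "w2": {"c'"}}
ONE_NODE_HAS = {"r1": {"p"}, "r2": {"p"}, "w1": {"c"}, "w2": {"c'"}}

if __name__ == "__main__":
    print(deadlock_cycle(EDGES, FIG8_HAS, FIG8_HAD, READERS))
    print(deadlock_cycle(EDGES, ONE_NODE_HAS, ONE_NODE_HAD, READERS))
```

On the Figure 8 state the search returns the four-action cycle named in the figure's caption; with readers held to one node the writers have nothing to wait for and no cycle exists.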

8.  Order  Preservation 

We say that action $a$ completely precedes action $b$ if $a$ releases all its locks before $b$ places its first lock. A computation is order-preserving if, whenever $a \rightarrow b$, $b$ does not completely precede $a$. In other words, if two actions actually executed in a certain order, they shouldn't appear by the results of the computation to execute in the opposite order.
$r1 \in R$: lock_first(p), lock_child(p,c), lock_child(c,g), unlock(c)
$r2 \in R$: lock_first(p), lock_child(p,c'), lock_child(c',g'), unlock(c')
$w1 \in W$: lock_first(c)
$w2 \in W$: lock_first(c')

Figure 8. A serializable segregated computation satisfying the transitive conflict rule with a deadlock-prone final state: r2 may wait for w1 at c, w1 may wait for r1 at g, r1 may wait for w2 at c', w2 may wait for r2 at g'.
lock_first(p)
lock_child(p,c)
unlock(p)

lock_child(c,g)

lock_first(p)
unlock(p)

lock_first(g)
unlock(g)

Figure 9. Even though $b$ completely precedes $d$, $d \rightarrow a \rightarrow b$.


The dynamic tree locking protocol, like the original tree protocol, does not in general guarantee order preservation. (See Fig. 9 for an example.) However, both protocols can be shown to preserve the temporal ordering between those pairs of actions related to each other in one of a number of ways.
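The definitions of this section can be run against a lock log. The following is an added example, not code from the paper: it derives the conflict relation from a log of lock and unlock events, takes its transitive closure, and reports pairs that break order preservation. It assumes that $x \rightarrow y$ holds when $x$ locked some node before $y$ did and not both are readers; the log encoding, the function names, and the assignment of Figure 9's columns to a, b and d are assumptions chosen to match the figure's caption.

```python
# Added example: conflict relation and order preservation (Section 8) on a lock log.
# Assumption: x -> y when x locked some node before y did and not both are readers.

def conflict_relation(log, readers=frozenset()):
    first = {}  # (action, node) -> index of the lock event
    for t, (act, op, node) in enumerate(log):
        if op == "lock":
            first.setdefault((act, node), t)
    return {(x, y)
            for (x, n), tx in first.items()
            for (y, m), ty in first.items()
            if n == m and x != y and tx < ty
            and not (x in readers and y in readers)}


def transitive_closure(rel):
    closure = set(rel)
    while True:
        extra = {(x, w) for (x, y) in closure for (z, w) in closure if y == z}
        if extra <= closure:
            return closure
        closure |= extra


def completely_precedes(log, x, y):
    """True if x has released all its locks before y places its first lock."""
    x_times = [t for t, (act, _, _) in enumerate(log) if act == x]
    y_locks = [t for t, (act, op, _) in enumerate(log) if act == y and op == "lock"]
    if not x_times or not y_locks or max(x_times) > min(y_locks):
        return False
    held = set()
    for act, op, node in log:
        if act == x:
            (held.add if op == "lock" else held.discard)(node)
    return not held


def is_conflict_serializable(log, readers=frozenset()):
    """Conflict-preserving serializable: the closure of -> is irreflexive."""
    return all(x != y for x, y in transitive_closure(conflict_relation(log, readers)))


def order_violations(log, readers=frozenset()):
    """Pairs (x, y) with x ->+ y although y completely precedes x."""
    plus = transitive_closure(conflict_relation(log, readers))
    return sorted((x, y) for (x, y) in plus if completely_precedes(log, y, x))


# Figure 9 as a log over the chain p -> c -> g. Which column belongs to a, b, d
# and the interleaving are assumptions matching the caption.
FIG9_LOG = [
    ("a", "lock", "p"), ("a", "lock", "c"), ("a", "unlock", "p"),
    ("b", "lock", "p"), ("b", "unlock", "p"),
    ("d", "lock", "g"), ("d", "unlock", "g"),
    ("a", "lock", "g"),
]

if __name__ == "__main__":
    print(is_conflict_serializable(FIG9_LOG), order_violations(FIG9_LOG))
```

The log is serializable, yet the pair (d, b) is reported: d is ordered before b through a even though b finished before d started.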

In  the  case  of  the  static  tree  protocol,  the  three  relationships  known  to  us  can  be  stated  succinctly. 
Order will be preserved between action b and a subsequent action d if d either

1)  locked  a  node  also  locked  by  b,  or 

2)  locked  a  node  that  is  an  ancestor  of  a  node  locked  by  b,  or 

3)  locked  a  node  that  is  a  child  of  a  node  locked  by  b. 

In  the  dynamic  tree  case,  both  the  statement  and  proof  of  parts  2  and  3  above  are  complicated  by  the 
transiency  of  child  and  ancestor  relationships:  one  is  forced  to  state  precisely  when  these  relationships  must 
have  held  in  relation  to  the  time  that  b  and  d  locked  the  nodes  involved.  Thus,  we  break  up  this  statement 
into  three  separate  theorems: 
Theorem 3: Let C be a computation of the segregated tree protocol wherein action $b$ completely precedes action $d$. If there exists a node $n \in (had_{fin}(b) \cap had_{fin}(d))$, then $d \rightarrow b$ does not hold.

Proof: Let us construct a new computation, C', consisting only of the writers in C, as well as $b$ and $d$. Since reader actions are not allowed switch, add_leaf, or remove_leaf operations, C' is a perfectly legal segregated dynamic tree computation.

Now, make both $b$ and $d$ writers in C'. Since $b$ and $d$ are not concurrent, and their locks conflict with all the other (writer) actions anyway, C' is still a perfectly legal dynamic tree computation, but now consisting only of writers. And since C satisfied the transitive conflict rule, $d \rightarrow^{+} b$ can hold in C only if it holds in C'.

Note that even if both $b$ and $d$ were readers in C, they are writers in C', thus $b \rightarrow d$ in C' (at $n$).

Therefore, by lemma 7, $d \rightarrow b$ can not hold in C'. □

It  is  noteworthy  that  the  most  common  method  of  enforcing  the  Transitive  Conflict  Rule  —  having 
all  actions  start  at  the  same  node  —  also  makes  the  dynamic  tree  protocol  order-preserving  by  Theorem  3. 
Thus,  Theorems  1,  2,  and  3  can  serve  as  rigorous  correctness  proofs  for  the  B-tree  algorithms  in  [Sa76], 
[BS77], and [MR85].

Theorem 4: Let C be a computation of the segregated tree protocol wherein action $b$ completely precedes action $d$. If C is switch-restricted, and, in some state $s$, some node $n \in has_s(d)$ is an ancestor of some node $m \in had_s(b)$, then $d \rightarrow^{+} b$ does not hold.

Proof: Let us construct C' from C just as in Theorem 3. Let $s$ be the first state in C' where $n \in has_s(d)$, $m \in had_s(b)$, and $n$ is an ancestor of $m$. Let $o$ be the operation preceding $s$, and let $r$ be the state preceding $o$. Since $r$ does not satisfy the above conditions, $o$ must be either $lock\_first_d(n)$ or $switch_a(p,p',c)$ for some $a$ where $(p',c)$ is an edge on the path from $n$ to $m$.

If $o$ is a lock_first, then the successor of $n$ on the path from $n$ to $m$ is not in $had_s(d) = \{n\}$, and thus $b \twoheadrightarrow d$ by the path from $n$ to $m$. Unfortunately, we can make no assumption about the successor of $n$ in the $o = switch_a(p,p',c)$ case. However, we can show that $b \Rightarrow d$ also holds there anyway (see Fig. 10).
[Figure 10: tree diagram with nodes labelled $lca(p,p',T_r)$, $n \in has_r(d)$, $p \in has_r(a)$, $p' \in has_r(a)$, $m \in had_r(b)$.]

Figure 10. $T_r$ prior to a restricted switch resulting in $n \in ancestors(m,T_s)$.

Since $p$ is an ancestor of $m \in had_r(b)$ in $r$, and the conditions of the case do not hold in $r$, $n \in has_s(d)$ can not be $p$ or an ancestor of $p$. Furthermore, since $p \in has_r(a)$, $a$ can not be $d$. And since $p' \in has_r(a)$ but $n \in has_r(d)$, $p'$ also isn't $n$. However, since $(p',c)$ is an edge on the path from $n$ to $m$ in $s$, $n$ is an ancestor of $p'$. Thus, $n \in \lambda(p,p',T_r) - \{p,p'\}$. Then, by the corollary to lemma 5, $a \rightarrow d$.

For a switch'', $\lambda(p,p',T_s) = \{p,p'\}$. Thus, $o$ is not a switch''. Since C' is switch-restricted, $o$ is therefore a switch', and $c \notin had_r(a)$. Then $b \twoheadrightarrow a$ by the path from $p'$ to $c$ to $m$. Thus, $b \twoheadrightarrow a \rightarrow^{+} d$, and $b \Rightarrow^{+} d$ whether $o$ is a lock_first or a switch.

For $d \rightarrow^{+}_{fin} b$ to hold in C, it must hold in C'. Then, since C' is writer-only and switch-restricted, $d \Rightarrow^{+} b$ must hold by lemma 4. But by lemma 7 and the previous result, this is impossible. □

We should note that, as illustrated by the counterexample in Fig. 11, the condition that C be switch-restricted really is necessary for Theorem 4 to hold.




lock_first(v1)
lock_child(v1,n)
lock_child(n,v2)
lock_child(v2,m)
lock_child(m,v3)
lock_child(v3,v4)
unlock(n)
unlock(m)
unlock(v3)

lock_first(m)
lock_child(m,v3)
unlock(m)

lock_first(m)
unlock(m)

lock_first(n)
unlock(n)


switch  {vl,v\,m) 
switch(v1,v4,n)
unlock(v4)

lock_child(v3,v4)
lock_child(v4,n)

Figure 11. Because the computation is not switch-restricted, $d \rightarrow_{fin} a \rightarrow_{fin} b$ even though $b \twoheadrightarrow d$ right after d's lock_first, and even though $b$ completely precedes $d$.
The final installment of the order preservation story requires some preparatory work.

Lemma 9: Let $p$ be the parent of some node $c$ in some state $r$ of a dynamic tree computation, and let $p'$ be the parent of $c$ in some subsequent state $s$. If $p \in had_r(a)$ for some action $a$, then there exists some action $a'$ such that $p' \in had_s(a')$, and $a \rightarrow^{*} a'$.

Proof: Trivial if $p = p'$. If $p \ne p'$, then between $r$ and $s$ occurred the operations $w_i = switch_{e_i}(p_{i-1},p_i,c)$, $1 \le i \le k$, where $p_0 = p$ and $p_k = p'$. Since $e_1$ held a lock on $p$ as of $w_1$, and $e_1$ is a writer, either $a = e_1$, or $a \rightarrow e_1$. And whenever $e_i \ne e_{i+1}$, $e_i$ held a lock on $p_i$ before $e_{i+1}$, therefore $e_i \rightarrow e_{i+1}$. Thus, $a \rightarrow^{*} e_k$. Since $p' \in had_s(e_k)$, the lemma holds for $a' = e_k$. □

Lemma 10: If $d \twoheadrightarrow a$ by a path from $n$ to $m$, and, in some previous state, some action $b \ne a$ held a lock on the parent of $m$, then $b \Rightarrow^{+} a$.

Proof: Let $p$ be the parent of $m$ in $s$. By lemma 9, there exists a $b'$ such that $b \rightarrow^{*} b'$ and $p \in had_s(b')$ (see Fig. 12). If $b' = a$, we are done. Thus, assume $b' \ne a$. If $n \ne p$, then $b' \twoheadrightarrow a$ by the path from $n$ to $p$. And if $n = p$, $b' \rightarrow a$ at $n$. Thus, $b \rightarrow^{*} b' \Rightarrow a$. □


Figure 12.
Theorem 5: Let C be a computation of the segregated tree protocol wherein action $b$ completely precedes action $d$. If, in some state $q$ of C, some node $p \in had_q(b)$ is the parent of node $c \notin had_q(d)$, but $c \in had_{fin}(d)$, then $d \rightarrow b$ does not hold.

Proof: Let us construct C' from C as in Theorem 3, and let us further modify C' by replacing every $remove\_leaf_e(p,c)$ with an $unlock_e(c)$. By the same simple argument as in the proof of lemma 7, C' is still a legal dynamic tree computation, and $d \rightarrow b$ holds in C only if it holds in C'. The terms of the theorem must also still apply to C'.

Since $c \in had_{fin}(d)$, $d$ executed either a $lock\_first_d(c)$ or a $lock\_child_d(p',c)$ for some $p'$. (An $add\_leaf_d(p',c)$ is impossible since $c$ was in the tree before $d$ locked it.)

First, consider the lock_child case. Let $s$ be the state right before the lock_child. By lemma 9, $p' \in had_s(b')$ for some $b'$ such that $b \rightarrow^{*} b'$. But since $p' \in has_s(d)$, $b' \rightarrow^{*} d$. Thus, since $b \ne d$, $b \rightarrow^{+} d$, thus $b \rightarrow^{+}_{fin} d$. Therefore, by lemma 7, $d \rightarrow^{+}_{fin} b$ can not hold.

Now, consider the $lock\_first_d(c)$ case. Assume $d \rightarrow b$ and proceed by contradiction. Let $s$ be the first state in C' such that $d \Rightarrow b$. Note that $q$ comes before $s$. Let $o$ be the operation preceding $s$. By lemma 3, $o$ must be either a $lock\_first_e$ or a non-restricted $switch_e$, for some action $e$.

First, let $o$ be a $lock\_first_e$. Then, by lemma 2, $e = d$, and $o$ is $lock\_first_d(c)$. Note that $d \twoheadrightarrow b$ is impossible since $has_s(b) = \emptyset$. Also note that $d \rightarrow a$ is impossible for any $a$ since $d$ has yet to unlock any node. Thus, $d \twoheadrightarrow a \Rightarrow^{*} b$ for some $a$. Since $had_s(d) = \{c\}$, $d \twoheadrightarrow a$ by a path from some $n$ to $c$. But then, by lemma 10, $b \Rightarrow a$, which contradicts lemma 7.

Now, let $o$ be a $switch_e(p_e,p'_e,c_e)$, and let $r$ be the state preceding $o$. Let $d$ also be known as $a_0$, $b$ as $a_k$, and let $a_0 \Rightarrow a_1 \Rightarrow \cdots \Rightarrow a_k$ be the shortest-length path connecting $d$ to $b$ in $\Rightarrow$. Note that $d \twoheadrightarrow b$ is impossible since $has_s(b) = \emptyset$, and $d \rightarrow b$ is impossible since $b$ completely precedes $d$. Thus, $k > 1$.

By lemma 6 part 4, if $a_i \Rightarrow a_{i+1}$ does not hold for some $i$ between 1 and $k-1$ inclusive, then $a_{i-1} \Rightarrow a_{i+1}$. But then the path was not of minimal length, which is a contradiction. Thus, $a_1 \Rightarrow b$. And since $d \Rightarrow^{+} b$ does not hold, neither does $d \Rightarrow a_1$.

Thus, by lemma 6, part 1, $d \twoheadrightarrow a_1$ by a path from $n$ to $m$ that includes $(p'_e,c_e)$. By part 2 of lemma 6, $c$ is in the subtree dominated by $c_e$. Thus, $d \twoheadrightarrow a_1$ also holds by the path from $n$ to $c_e$ to $c$. But then, by lemma 10, $b \Rightarrow^{+} a_1$, which contradicts lemma 7. □

9.  Conclusion 

The Silberschatz and Kedem tree protocol can be extended to dynamic trees by allowing the general-purpose operations switch, add_leaf, and remove_leaf. The resulting protocol is serializable in both its exclusive-lock only and segregated varieties, and is no less deadlock-free than the original tree protocol. However, unless the switch operation is further restricted, it no longer has the original protocol's property of determining an action's position in the serialization ordering as soon as the action locks its first node. We have also explored under what circumstances either protocol guarantees order preservation, and found that these too can depend on restricting the switch operation.